Monero Mining Malware Smominru Modified to Steal Sensitive User Data

A malware program called Smominru has been mining the privacy-oriented cryptocurrency Monero (XMR) on half a million infected computers. The malicious mining script has also been stealing sensitive user data.

Sophisticated, Multi-Stage Malware Detected

Carbon Black, an online security firm, revealed in a report released on August 7, 2019 that its Threat Analysis Unit found “a secondary component” in a well-known crypto mining campaign. The malware script has been modified to “also steal system access information for possible sale on the dark web,” the report noted. 

According to researchers at Carbon Black, a careful examination of the latest version of Smominru suggests:

“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”

As detailed in the investigation report, the modifications in the malware were detected when the researchers found and examined unusual activity across several endpoints. The Carbon Black research team uncovered “sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers.”

The researchers at Carbon Black believe that this particular malware trend could potentially have far-reaching implications for the online security space. Per the report, these incidents might “catalyze a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”

Smominru First Detected in May 2017

The Smominru malware program was also detected in January 2018, and previous reports indicate that the malicious scripts have been infecting computer systems since May 2017.

Last year, researchers at online security firm Proofpoint confirmed that Smominru (also called Ismo) had been using a National Security Agency (NSA) exploit, known as EternalBlue, to infect computers with XMR mining malware.

According to reports, the EternalBlue exploit was launched by a group of hackers known as the Shadow Brokers, who may also have carried out the WannaCry ransomware attacks in 2017.

Monero Community Tries to Fight Back

In September 2018, the Monero community condemned all attacks involving bad actors who were hogging the computer resources of unsuspecting users to selfishly mine XMR. The Monero Malware WorkGroup was launched in order to provide users the tools and resources they would need to protect their computers from cryptojacking.

The Monero community members stated in a blog post,

“[We] condemn this malicious, non-consensual use of equipment to mine (XMR) … The Monero community does not want to sit idly by as victims struggle to understand the impact of mining and ransomware.”